ISM-1926 ASD Information Security Manual (ISM)

Ensure Exclusive Usage of Microsoft AD Servers

Ensure Microsoft AD servers only run their intended roles, no additional apps unless security-related.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Aug 2024

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Microsoft AD DS domain controllers, Microsoft AD CS CA servers, Microsoft AD FS servers and Microsoft Entra Connect servers are only used for their designed role and no other applications or services are installed, unless they are security related.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about making sure that certain types of Microsoft servers, which help manage who can access what in your computer systems, are used only for their specific purposes. This matters because if these servers are used for other things, they could be more vulnerable to attackers who might gain access to your sensitive information.

Why it matters

Running additional applications or services on Microsoft AD servers increases their attack surface. Because these servers hold the organisation's critical access controls, a compromise of one of them puts those controls at risk and can lead to a data breach.

Operational notes

Regularly audit server roles and maintain an inventory to ensure no unauthorised applications are installed on AD servers.

Implementation tips

  • The IT team should conduct an initial review of all Microsoft Active Directory (AD) servers. They need to list all roles, services and applications present on each server and verify that they match the server's intended purpose only. This ensures the servers are not doing anything extra that could add risk.
  • Managers should liaise with the IT team to establish clear rules for what can be installed on AD servers. These rules will help prevent unnecessary applications from being installed. An email policy announcement can inform everyone about these rules.
  • The IT team should configure alerts that notify them when any non-security application is installed. Monitoring software that flags configuration changes can do this, allowing immediate action if something unexpected appears on a server.
  • System administrators should routinely check for updates specifically intended for Microsoft AD services and apply them as necessary. Keeping systems updated ensures they remain secure and operate smoothly.
  • HR should collaborate with IT to provide training for staff about the importance of this control. Regular workshops can help users understand why safeguarding these servers is crucial and how their behaviour can affect server security.
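As an added example of the first and third tips (not Control Stack's or the ISM's own tooling), the PowerShell script below is run elevated on an AD-related server and reports any installed Windows Server role or installed program that falls outside the server's designated role, plus recent MSI installs from the Application log. The expected-role baseline, the approved security-software name patterns and the report path are assumptions for illustration and must be replaced with the organisation's own approved baseline.

```powershell
# Added example (not Control Stack or ISM code): report anything installed on an
# AD-related server that is outside its designated role. Run elevated on the
# server itself. The allowlists below are assumptions; replace them with your
# approved baseline and your approved security tooling.
param(
    [ValidateSet('ADDS', 'ADCS', 'ADFS', 'EntraConnect')]
    [string]$DesignatedRole = 'ADDS',
    [string]$ReportPath = "$env:COMPUTERNAME-role-review.csv"
)

# Roles expected for each designated role, plus the role Windows Server installs
# by default (assumed baseline; verify against a clean build of your own image).
$DefaultRoles = @('FileAndStorage-Services')
$ExpectedRoles = @{
    'ADDS'         = @('AD-Domain-Services', 'DNS') + $DefaultRoles
    'ADCS'         = @('AD-Certificate') + $DefaultRoles
    'ADFS'         = @('ADFS-Federation') + $DefaultRoles
    'EntraConnect' = $DefaultRoles   # Entra Connect is an application, not a role
}

# Installed programs that are acceptable because they are security related or are
# the designated application itself (placeholder name patterns; match these to
# your approved EDR, backup and monitoring agents).
$ApprovedSoftwarePatterns = @('*Defender*', '*Monitoring Agent*', '*Azure AD Connect*', '*Entra Connect*')

function Get-UnexpectedRoles {
    # Get-WindowsFeature comes from the ServerManager module present on Windows Server.
    Get-WindowsFeature |
        Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' } |
        Where-Object { $ExpectedRoles[$DesignatedRole] -notcontains $_.Name } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Role'; Name = $_.Name; Detail = $_.DisplayName } }
}

function Get-UnexpectedSoftware {
    # Read the same uninstall registry keys that "Programs and Features" displays.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.SystemComponent -ne 1 } |
        Where-Object {
            $name = $_.DisplayName
            -not ($ApprovedSoftwarePatterns | Where-Object { $name -like $_ })
        } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Software'; Name = $_.DisplayName; Detail = "$($_.Publisher) $($_.DisplayVersion)" }
        }
}

function Get-RecentInstalls {
    # MsiInstaller logs event 11707 to the Application log when an MSI install completes;
    # this gives the evidence trail the alerting tip relies on.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 11707; StartTime = (Get-Date).AddDays(-30)
    } -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Kind = 'RecentInstall'; Name = $_.TimeCreated; Detail = $_.Message } }
}

$findings = @(Get-UnexpectedRoles) + @(Get-UnexpectedSoftware) + @(Get-RecentInstalls)
$findings | Export-Csv -Path $ReportPath -NoTypeInformation

if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME ($DesignatedRole): nothing installed outside the designated role."
} else {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero so a scheduled run can raise an alert
}
```

Running this once per server produces the initial review; scheduling it and alerting on a non-zero exit gives the ongoing check. The CSV it writes also serves as the "server configuration record" an auditor asks for under the evidence tips below.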

Audit / evidence tips

  • Ask for the server inventory list: request a list of all Microsoft AD servers and their roles.

    Good evidence: an accurate and comprehensive list with no missing roles.

  • Ask to see the server configuration records: request documents that detail what is installed on each AD server.

    Good evidence: documentation showing compliance with the specified roles.

  • Ask for the written policy that defines what can and cannot be installed on AD servers.

    Good evidence: a clear, enforced policy with staff acknowledgment.

  • Ask to review alert logs: request logs from the monitoring software that show all installations on AD servers.

    Good evidence: active monitoring and swift resolution of flagged issues.

  • Ask about training records: request records of staff training sessions on server management, and check that the training covers topics relevant to this control and that participation is recorded.

    Good evidence: regular, relevant training with high staff attendance and comprehension.

Cross-framework mappings

How ISM-1926 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (2)

  • Annex A 8.9: ISM-1926 mandates a hardened configuration baseline for AD-related servers by restricting them to their designed roles.
  • Annex A 8.19: ISM-1926 requires that Microsoft AD DS/AD CS/AD FS/Entra Connect servers are used only for their designed role, with no additional applic...

E8

Supports (1)

  • E8-AC-ML3.1: ISM-1926 reduces the attack surface of AD servers by ensuring they only perform their intended roles without unrelated services.
